Solved

Spam Problem

Posted on 2010-08-27
Last Modified: 2012-05-10
Hi,
We run Exchange 2007 at our office.  One server is dedicated to Edge Transport, and the other server is Mailbox, Hub Transport and Client Access.  Some of the long time people at our office who have been here for 10 years get LOTS of spam daily.  The president of the company averages about 200 spam per day.

The Edge Transport server really should be taking care of this problem.
Here are some of the settings we use:
Content Filtering
Delete Messages -- Unchecked
Reject Messages -- Checked for SCL 7
Quarantine Messages -- Checked for SCL 6

Sender ID is enabled.

Sender Reputation Properties
Sender Confidence Level -- Checked
Action: 7

I updated to Exchange2007 SP3 last night so Version: 08.03.0083.000 is running on both of our servers.  Everyone is still getting the same amount of spam.

We are even using RBLs
zen.spamhaus.org
dnsbl.sorbs.net
bl.spamcop.net
dnsbl-1.uceprotect.net
...and signed up to use Barracuda's service http://www.barracudacentral.org/rbl

It doesn't seem to make much of a difference at all.

I'm starting to wonder if we have an infected computer somewhere on our LAN that is spamming people.

How do all our settings look?
What do the experts have to say about this?

Thanks,
Jamie
0
Question by:jamorlando
15 Comments
 
LVL 7

Expert Comment

by:Paul Tozer
ID: 33542882
Can you get the message header from a few of the emails and post them?
0
 

Author Comment

by:jamorlando
ID: 33543211
Here's a couple that went straight to inbox after our Exchange upgrade.  I have changed our actual company name to @ourcompany.com to protect the innocent :)

Received: from exchange02.iks.bz (192.168.210.130) by exchange01.iks.bz
 (192.168.210.7) with Microsoft SMTP Server (TLS) id 8.3.83.0; Fri, 27 Aug
 2010 10:43:59 -0400
Received: from xs160.bestcarssite.info (64.202.124.160) by smtp.insertkey.com
 (192.168.210.130) with Microsoft SMTP Server id 8.3.83.0; Fri, 27 Aug 2010
 10:43:53 -0400
Message-ID: <7362058816035093985.4656b797cc6b9d7cc42e9bc3820d4e78.1119882280@xs160.bestcarssite.info>
Subject: NEWS ALERT: Apple iPad auctions for up to 95% off retail!
From: SwipeBids <SwipeBids@bestcarssite.info>
MIME-Version: 1.0
To: <joe@ourcompany.com>
Date: Fri, 27 Aug 2010 10:40:12 -0400
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Return-Path: SwipeBids@bestcarssite.info
X-MS-Exchange-Organization-PRD: bestcarssite.info
Received-SPF: Pass (exchange02.iks.bz: domain of SwipeBids@bestcarssite.info
 designates 64.202.124.160 as permitted sender) receiver=exchange02.iks.bz;
 client-ip=64.202.124.160; helo=xs160.bestcarssite.info;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus Pass;OrigIP:64.202.124.160
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-SenderIdResult: PASS


Received: from exchange02.iks.bz (192.168.210.130) by exchange01.iks.bz
(192.168.210.7) with Microsoft SMTP Server (TLS) id 8.3.83.0; Fri, 27 Aug
2010 00:22:48 -0400
Received: from otenet.gr (87.202.56.2) by smtp.insertkey.com (192.168.210.130)
with Microsoft SMTP Server id 8.3.83.0; Fri, 27 Aug 2010 00:22:48 -0400
From: Sale on sexual boosters <subazino3279@otenet.gr>
To: <tjohnson@ourcompany.com>
Subject: Dear customer tjohnson, here's 70% Sale invitation.. who replacing
Date: Fri, 27 Aug 2010 07:23:03 +0300
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <adfb8897-6bfd-415b-8a0e-73976cdf08fd@exchange02.iks.bz>
Return-Path: subazino3279@otenet.gr
X-MS-Exchange-Organization-PRD: otenet.gr
Received-SPF: None (exchange02.iks.bz: subazino3279@otenet.gr does not
designate permitted sender hosts)
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus None;OrigIP:87.202.56.2
X-MS-Exchange-Organization-SCL: 3
X-MS-Exchange-Organization-SenderIdResult: NONE
0
 
LVL 3

Expert Comment

by:Fr0zT
ID: 33543589
See this document:
http://technet.microsoft.com/en-us/library/bb124696(EXCHG.80).aspx

The edge server requires tuning to aggressively block spam.  I'm not even convinced that by itself it would be a great solution without some other software like Forefront, GFI MailEssentials, Symantec Brightmail etc.
0
 

Author Comment

by:jamorlando
ID: 33544105
Trust me ... I've read about ALL these settings, and it doesn't seem to make a difference.  When I set them too aggressively, people start not receiving important business emails.

I think it's unacceptable that third party software be the solution to this problem.

In any case, I'm still wondering if someone on our network has a virus that's spamming people?  I have no idea how I would even test this unless we shut off every desktop and server here except for the two exchange servers.
0
 

Author Comment

by:jamorlando
ID: 33545442
If you notice in the first message header I posted, the SCL is 0!  How can that be????  The email address is from SwipeBids@bestcarssite.info ... even a 2 year old would know that's spam.

Come on guys, I know there has to be something to fix this.
0
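The two header sets posted above, checked against the Content Filtering thresholds from the question (an added example, not part of the original thread; the header subset is constructed from the posted lines, and `triage` and `action_for` are hypothetical names):

```python
from email import message_from_string

# Thresholds from the question's Content Filtering settings, assumed to
# apply to an SCL greater than or equal to the configured value.
REJECT_AT, QUARANTINE_AT = 7, 6

# Constructed sample: a subset of the header lines from the two posted messages.
SAMPLES = [
    "Return-Path: SwipeBids@bestcarssite.info\n"
    "X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;"
    "SID:SenderIDStatus Pass;OrigIP:64.202.124.160\n"
    "X-MS-Exchange-Organization-SCL: 0\n"
    "X-MS-Exchange-Organization-SenderIdResult: PASS\n",
    "Return-Path: subazino3279@otenet.gr\n"
    "X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;"
    "SID:SenderIDStatus None;OrigIP:87.202.56.2\n"
    "X-MS-Exchange-Organization-SCL: 3\n"
    "X-MS-Exchange-Organization-SenderIdResult: NONE\n",
]

def action_for(scl):
    """Map an SCL stamp to what the configured content filter would do."""
    if scl is None:
        return "unscanned"  # no stamp: the content filter never rated the message
    if scl >= REJECT_AT:
        return "reject"
    return "quarantine" if scl >= QUARANTINE_AT else "deliver"

def triage(raw_headers):
    """Extract the anti-spam stamps from one pasted header block (hypothetical helper)."""
    msg = message_from_string(raw_headers)
    stamp = (msg.get("X-MS-Exchange-Organization-SCL") or "").strip()
    scl = int(stamp) if stamp.lstrip("-").isdigit() else None
    report = {}
    for field in (msg.get("X-MS-Exchange-Organization-Antispam-Report") or "").split(";"):
        key, sep, value = field.partition(":")
        if sep:
            report[key.strip()] = value.strip()
    return {
        "sender": msg.get("Return-Path"),
        "scl": scl,
        "sender_id": msg.get("X-MS-Exchange-Organization-SenderIdResult"),
        "orig_ip": report.get("OrigIP"),
        "action": action_for(scl),
        # How far the stamp sits below the lowest configured threshold.
        "below_quarantine_by": None if scl is None else max(QUARANTINE_AT - scl, 0),
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Both samples come back as `deliver`: SCL 0 and SCL 3 are below the SCL 6 quarantine threshold, and a Sender ID `PASS` only confirms that the connecting IP is authorized for the sending domain.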
 
LVL 7

Accepted Solution

by:
Philonator earned 333 total points
ID: 33549648
I agree with Fr0zT 100%, the edge blocking doesn't work well.  I have found it just takes the worst of the worst out and that's it.  I do not think you have an infected machine on your local site.  Once your email is on a spam list, the spammers sell it to other spammers and it never ever stops.

I know you don't want a third party solution but Microsoft has a great virus/spam filter for under $1/yr/mailbox. It's called Forefront Online Protection for Exchange.
0
 

Author Comment

by:jamorlando
ID: 33558421
Philonator, I like that there is a free 30 day trial.  I'm going to set this up.  Has anyone used this product?  Success?
0

 
LVL 7

Expert Comment

by:Philonator
ID: 33558680
I have tried it on one client and we are going to recommend it for more.  It is working sweet.  You can schedule a sales demo with them.  The most negative parts are that you need to sign a 3 yr agreement (but don't let that bother you) and change MX records.  After that it is smooth sailing.

You basically redirect your mail to Microsoft first, they filter it, and then it is sent to your Exchange server.  There are other options you buy from them like archiving and encryption at the same low price.  It's relatively new, but I can see this product taking some serious market share from Barracuda and others.

Last two thoughts: I hated the idea at first, but once it was in place I became a believer, and I swear I am not a sales rep for them!
0
 

Author Comment

by:jamorlando
ID: 33558704
It says $1.75 per user.  We have around 100 Outlook users, however only about 10 of them get spam.  Can you only set it up for the 10 users, or would we have to pay for all 100?
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33558756
When you point the MX records all mail will be filtered.  So technically you need to buy it for all users and service accounts.
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33558805
BTW - buy it through a reseller like Ingram or Tech Data and you will get the $1 a mailbox discounted price.
0
 

Author Comment

by:jamorlando
ID: 33558986
Awesome to know about Tech Data... we use them here all the time.
Another question:  Can we ditch our Edge Transport server if we get FOPE implemented?
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33559279
I would like to say yes, but is that all the edge server is doing?  When we implemented it we left everything in place first, and saw that it was doing what it advertised to do.  We then started removing equipment and programs without issue.
0
 

Author Comment

by:jamorlando
ID: 33559298
Ok, I'll feel it out.  I'm going to get the trial, and if I have any more questions, I'll put it in the discussion or open a new thread.  Thank you!
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33559316
Post back to this thread either way what you do.  I think it would be helpful to others.
0
